FROM THE EDITORS OF COMPUTERWORLD

SECURITY

Intranets are exposing corporate networks to increased threat. Passwords and firewalls are no longer enough

By Laura DiDio

Officials for the U.S. Coast Guard were incredulous. Despite all their precautions and safe security policies, the security of their corporate intranet had been breached, and breached badly. A savvy former network administrator, Shakunda Devi Singla, had persuaded a fellow Coast Guard worker to loan out his password and had then dialed into the intranet remotely and reportedly (the Coast Guard still isn’t sure) used a top secret password to gain access to a personnel database.

Once in, she had proceeded to delete personnel information from that database.

The hack itself took only a couple of hours, but the aftermath was much worse. It took 115 workers 1,800 hours to restore the lost data. Total cost: $40,000.

It’s a fact that corporate networks, designed to share and transmit data, are inherently insecure.

The addition of intranets, which incorporate Web browsers for Internet access, and extranets, which enable outsiders such as customers and business partners to access the corporate network, as well as the emergence of electronic commerce can make the enterprise even more porous for unwary businesses.

Sometimes the culprits are unwitting end users who make errors that compromise network security on a daily basis. These errors range from the arcane, such as dialing into forbidden Internet sites and downloading freeware that can be riddled with viruses, to the mundane, such as sharing passwords and leaving systems unattended. These actions make the intranet easy prey for hackers.

So what can be done to combat these threats? Companies need to start with a good foundation. That means implementing strong security policies and procedures and making security an intrinsic part of network operations and daily life. We talked to security experts and corporate security specialists, asking for their suggestions and approaches. Some of their recommendations: Take inventory of corporate data, use more than firewalls for security, encrypt sensitive corporate data and conduct audits to assess security weaknesses. Basically, they say companies need to constantly review security procedures and practices.

That’s what Bob McKee has done in response to the growing siege of intranets. McKee, director of information management security at The Hartford Insurance Co. in Hartford, Conn., and a 13-year veteran, has 26 people in his security organization. The 22 security managers and four disaster recovery and business contingency planning managers use a combination of education, accountability, common sense and good security products to safeguard the firm’s data.

“When I started, security was much simpler. Our biggest worry was passwords and IDs for the mainframe,” McKee recalls. The introduction of intranets, Web browsers and Internet access has made security a 7 by 24 job. Education starts with the employee’s first day on the job. Along with a booklet on benefits and corporate policies, employees are given handouts of company security policies governing computer usage, good security practices and all the no-no’s.

And for the past three years, The Hartford, in conjunction with the Computer Security Institute, has also published Frontline, a quarterly security publication distributed to all 25,000 worldwide employees. It contains articles on security issues, Internet threats and vulnerabilities, and hackers. The end result, McKee says, is heightened awareness.

“We realize people will be reluctant to rat out their employees and to report security violations. We’re not looking to nail individuals to the cross — we want to educate them and make sure security is never far from their minds so they turn the computer off at night, don’t keep their passwords pasted to the monitor and don’t download freeware from the Internet,” McKee says. “It’s also paid off with regard to the increasing number of virus hoaxes. We now get people calling us immediately when they suspect something,” he adds.

Security Tips

Here's a list of tips for securing your intranet, compiled by Peter Shipley, a security architect at KPMG Peat Marwick in San Francisco.

1. Don't let users log directly on to an intranet host server.

2. Intranet passwords should contain alpha and numeric characters in both upper and lowercase and be no longer than six characters. Limit a user's invalid log-in attempts.

3. Encrypt sensitive data during transmission.

4. Restrict the use of .rhost and host.equiv files that let users access intranet hosts without a password.

5. Install intranet detection mechanisms (i.e., intrusion detection and audit trails).

6. Inventory all intranet systems and data, and have an intranet disaster recovery plan.
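An added example, not part of the original article: one way to act on tip 4 of the Security Tips list is to parse each host's rhosts-style trust files (commonly named `.rhosts` and `/etc/hosts.equiv`) and flag the entries that grant passwordless access. The sample file contents, host names and function names below are constructed for illustration.

```python
"""Audit rhosts-style trust files (hosts.equiv, ~/.rhosts) for risky entries."""
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str   # "high", "medium" or "low"
    reason: str


def audit_trust_file(text, is_hosts_equiv=False):
    """Return a Finding for every entry that grants passwordless access.

    Entry format is "host [user]". A leading "-" on either field is a deny
    entry; lines starting with "#" are treated as comments.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user is not None and user.startswith("-")):
            continue  # deny entry: removes trust rather than granting it
        if host == "+":
            sev, why = "high", "wildcard host: every remote host is trusted"
        elif user == "+":
            sev, why = "high", "wildcard user: any account on the host is trusted"
        elif host.startswith("+@"):
            sev, why = "medium", "netgroup trust: review the group's membership"
        elif is_hosts_equiv and user is not None:
            # In the system-wide file a named remote user is not tied to one
            # local account, so the entry is broader than it looks.
            sev, why = "high", "named remote user can log in as any non-root local user"
        else:
            sev, why = "low", "passwordless trust: confirm it is still required"
        findings.append(Finding(line_no, line, sev, why))
    return findings


# Constructed sample, not taken from any real system.
SAMPLE_HOSTS_EQUIV = "\n".join([
    "# constructed sample hosts.equiv",
    "build01.example.internal",
    "+",
    "-oldhost.example.internal",
    "+@admins",
    "backup01.example.internal operator",
    "+ +",
])


def summarize(findings):
    """Count findings per severity so a report can be sorted or thresholded."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_trust_file(SAMPLE_HOSTS_EQUIV, is_hosts_equiv=True):
        print(f"line {f.line_no}: [{f.severity}] {f.entry!r} - {f.reason}")
```
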

McKee’s biggest intranet security concern is ensuring that he has the right level of protection for all the servers. “I determine that by knowing which departments have intranet servers up and running and making sure that we communicate and determine if the data needs to be protected,” he says. So far, he adds, the proactive measures have helped The Hartford avoid a serious hit.

FOOTING THE BILL

Not every security specialist can get upper management to foot the bill for the type of intranet security The Hartford uses. “I complain and complain and show my managers all the alarming statistics and clip the stories about the hackers, and it still does no good,” says the security administrator at a Fortune 1,000 firm in the Northeast who requested anonymity. While the firm does have firewalls and antivirus packages installed, the security manager says he still worries because “the virus products are three versions old, and we don’t have the latest upgrades for the firewalls. You could say I pray a lot.”

Corporations that ignore security and fail to implement security policies and procedures do so at their own risk, says Mark Gembicki, president of Warroom Research, Inc., a security consultancy in Annapolis, Md. “If you’re not proactive about safeguarding your data, it’s a question of ‘when,’ not ‘if’ you’ll get hacked,” he says.

With such bleak prognostications, what can be done to ward off disaster? Plenty, security administrators and analysts say.

Warroom’s Gembicki advises businesses to take inventory of all data, determine what needs protection, pinpoint areas of vulnerability and add appropriate security devices and policy measures. If you have a server with sensitive financial data on it, limit access or physically isolate the financial network from the Web server. “Security activities like these are ongoing, constant processes, like weeding the garden. If you don’t do it regularly, you will be overrun with weeds — or hackers,” Gembicki says.

Taking inventory of all corporate data is pragmatic from a cost savings basis as well, says Mark Fabro, director of risk assessment at Secure Computing, Inc., who performs ethical, or “white hat,” hacks for his business clients. Many firms, he notes, have limited funds and can’t afford the latest and greatest firewall or antivirus version. “Taking inventory of all corporate data helps the manager decide which data most needs to be secured. If you have people who rarely access public data networks or do a lot of messaging, chances are they can get by with older virus packages.”

Firewalls have become something of a two-edged sword. On the one hand, they do represent a good first line of defense and a necessary component in the overall intranet security infrastructure. But they can also lull businesses into a false sense of complacency.

“Firewalls are like a gate around your property: They guard the perimeter. But they can also be like France’s Maginot line: If there’s a security hole in your network operating system, operating system or application, the hacker will simply bypass the firewall and get right to your sensitive data,” Fabro says.

COMPUTERWORLD INTRANETS JULY 27, 1998 www.computerworld.com/intranets

COVER PHOTOGRAPH BY JOHN SOARES

Forewarned and Forearmed

There's no substitute for thorough planning.

Mike Anderson is a former security investigator at the Internal Revenue Service who co-founded New Technology, Inc., a security consulting firm in Portland, Ore., that caters to Fortune 500 accounts. He says many of his clients are "astounded to find that we can frequently hack into systems and networks in 30 minutes or less," despite the fact that they think they’ve done all the right things to secure their intranets.

One of Price Waterhouse's Tiger Team customers, a Fortune 100 manufacturing business, was very proactive about installing the latest firewall equipment and maintaining good security policies, says Gary Loveland, a partner in Price Waterhouse's IS risk management group. The Tiger Team's initial attempts to defeat the firm's intranet security were repulsed.

However, the company did have one glaring weakness: it had recently acquired a subsidiary and attached that firm's network to the corporate backbone.

"Not only did they not check for that but the subsidiary had a live connection to the Internet and the company didn't realize it," Loveland says.

And then there are just some businesses that, despite threats and warnings, refuse to take security seriously.

Anderson relates that one of his clients — an international oil company — had no security policies or procedures in place. "We told them their laxity meant they had no way of even knowing if their networks were hacked. Needless to say, they quickly rectified the matter," Anderson explains.

Most of Anderson's clients, though, are doing just the opposite. "We have an increasing number of businesses that are asking us for 'special' ways to encrypt their data, especially as it relates to intranets and the Internet and electronic commerce," he says.

— LAURA DIDIO

IN AN EXCLUSIVE Warroom Research survey due out next month, of 320 firms polled on the likelihood of a security crisis hitting them by the Year 2000, 100% say it is possible.

SCALING THE FIREWALL

Peter Shipley, a security analyst at KPMG Peat Marwick LLP in San Francisco, ought to know. In his former incarnation as the hacker “Evil Pete,” he regularly and easily invaded corporate systems — going around or hacking right through firewalls. His experiences provide valuable insight on how easy it is to compromise the corporate network if users are unwary or unmindful of properties of their software and hardware.

For instance, it can be fairly easy to hack the firewall’s host hardware. “If the firewall runs on a Windows NT or Unix box, it may be possible to break into the underlying operating system by hacking into the TCP/IP address or via the dial-up modem. That’s a common method hackers use to bypass the firewall and gain direct access to intranet systems and servers,” Shipley says.

To further compromise an already-hacked network, hackers often install a common network sniffer. Sniffers are devices used for network diagnostics. “But they can also be deployed for covert data interception on intranet and HTTP, telnet and FTP servers, to name just a few,” Shipley says. The solution is to do thorough, regular inventory checks of every device on the network and remove suspicious gear.

Fabro also recommends that security managers and network administrators thoroughly check and test their firewall configurations on a test network before installing them on a production server. “Errors in firewall configurations are very common. Use common sense — don’t just take it out of the box and put it on your network. A firewall that’s configured improperly is useless,” he says.

Once the hackers enter your corporate intranet via firewalls, software or operating systems, they can roam at will, wreaking havoc and then “gracefully covering their tracks,” Shipley says. Even scarier, using tricks of the trade such as log modification tools, they can cover their tracks and destroy all evidence of their presence.

“Hackers can cover up an invasion and make an attack look like an act of God, such as a disk crash. And that’s not the end of it — they often thoughtfully leave backdoors for themselves to gain reentry,” Shipley says.

One obvious solution: Encrypt sensitive corporate data to make it harder for prying eyes to see. This usually means two-factor authentication that includes encrypted data and user PINs.

KEEP PACE WITH GROWTH

That’s what Reliant General Insurance Services, Inc. did to batten down the hatches on its corporate intranet. The San Diego-based firm, which insures high-risk motorists, has seen explosive growth in its business in the wake of California making insurance mandatory in 1997. But with that growth, Reliant had to find new ways to safeguard its data because all of the company’s underwriters worked from home using insecure, dial-up modems, says Cary White, Reliant’s director of MIS.

“We can’t afford a hack. There’s too much sensitive customer information being transmitted from our remote underwriters to our intranet via the Internet. If we got hacked, there would be big fallout. I’d expect customers to go to our competitors for their insurance,” he says.

Reliant’s solution was to install a virtual private network from Axent Technologies, Inc., which provided the company with encrypted passwords and data, as well as encryption at the firewall.

As for the applications, operating systems and network operating systems, they too should be thoroughly tested. And network administrators and security managers need to familiarize themselves with the ins and outs of the system. Windows NT, for example, has lately become a favorite hacker target. But NT security is no better or worse than that of most rivals.

The problem is that NT comes out of the box in an inherently “trusting” manner. It’s up to the network administrator to turn on the existing security controls. NT Server does contain things such as intruder account security, which lets the network administrator lock an account if the password is entered incorrectly a specified number of times.

But first you have to know it’s there, and there’s no substitution for hands-on training. Jeff Dazell, LAN network services administrator at Dana Corp., a $7 billion automotive parts manufacturer with 45,000 employees worldwide, says his network administrators took “18 months to get fully up to speed” on NT security. Part of the issue was that NT 4.0 was a new operating system with 16 million lines of code. And as with any new operating system, there are always issues of backward compatibility with older operating systems and applications.

If the network administrator isn’t savvy enough to implement the security default parameters, internal and external hackers could get carte blanche supervisory rights to access, delete, write and execute other users’ files that share the same Windows NT domain directory.

The fix for this is simple and free. The network administrator must remove the full access control at installation and then grant users more appropriate read/write access privileges. Another smart move is to disable the Guest accounts and rename the Administrator accounts.


Point solutions for securing the intranet all work well, but to really minimize the chances of a successful intranet hack, experts advise businesses to get a security audit or risk assessment check. Prices range from thousands to hundreds of thousands of dollars, depending on the size and scope of the organization. For a fee, security consulting firms, including all Big Six accounting firms, will come in and perform an ethical hack designed to pinpoint the strengths and weaknesses in the organization.

Gary Loveland, a partner in Price Waterhouse’s IS risk management group, says an initial sweep of a user’s premises uncovers no lack of antivirus software or protective devices, such as router- or Internet-based firewalls. “Users have girded for battle and are generally armed to the teeth with the latest security devices. The biggest vulnerability we see is that businesses don’t take the time to really assess where their weaknesses are. They’re usually tripped up by some silly backdoor that’s been left open,” he says.

In this era of mergers and acquisitions, a company that has taken all the right precautions might unwittingly compromise its entire enterprise network by adding a newly acquired subsidiary network to the enterprise. “A newly acquired company, especially if it’s small, could have big gaps in its network. So we advise companies to scrutinize security before adding new networks onto the enterprise,” he says.

Look at the Coast Guard: They took all the right precautions and still got attacked. Sad to say, the Coast Guard was lucky, according to Chris Klaus, chief technology officer at Internet Security Systems, Inc. in Atlanta. “Not only did they get off cheap — $40,000 data losses from intranet hacks are nothing these days — but they got off easy. They were able to identify the data that was lost and restore it,” he says.

DiDio is a Computerworld senior editor, security and network operating systems.




PROJECT: MASTERCARD INTERNATIONAL, INC.

Going Above and Beyond the Firewall

By Steve Alexander

Credit-card firm MasterCard International, Inc. has gone well beyond the use of firewalls to insure the security of data shared among 2,400 internal users and 23,000 financial institutions worldwide. Purchase, N.Y.-based MasterCard uses a variety of security approaches, from traditional passwords to secure ID cards that generate ever-changing passwords. Sam Alkhalaf, St. Louis-based senior vice president of technology and strategic architecture, explains the security strategy.

MASTERCARD'S SAM ALKHALAF: Users may not use a security procedure they perceive as too difficult

WHAT THEY’RE DOING

MasterCard uses passwords but deals with problems such as people forgetting them or using obvious passwords. Some users have ID cards that can be read by card readers. In addition, about 2,000 users who need greater security use secure ID, which have a little window with password digits that change every two minutes. Those changes are synchronized to an algorithm in the computer system.

The firm also uses an internally developed piece of security software called MasterCard Online, which resides on its own server and interacts with a separate secure ID server and Cisco Systems, Inc. routers. The firewall comprises all three pieces. All extranet applications ride on top of MasterCard Online, which provides them with common communications, security and encryption.

Applications servers are on protected network segments, with applications invoked only through the MasterCard Online desktop icon. Users must be authenticated to gain access to applications, and additional levels of security can be added at the screen or field level.

BENEFITS

Benefits include a consistent security policy across all kinds of different applications; applications that can leverage MasterCard Online’s security strength with little or no incremental investment; and side processes such as managing user IDs, which are handled for the user and are well-defined and proven.

WHAT'S AHEAD

MasterCard is looking at new ways to use passwords. From a cost perspective, the combination of a password and the secure ID card is extremely effective for the level of security it provides. It’s like a bank ATM machine. The company has looked at biometric technology, which recognizes fingerprints, faces or the iris of the eye. The trouble is that those methods are expensive.

MasterCard has also taken a preliminary look at the adaptive firewall, which identifies potential threats by looking at patterns of use.

TECHNICAL CHALLENGES

Security places a burden on users, who may not use an application if they perceive the security procedures as too difficult. As a result, the secure ID cards are used only for very sensitive applications.




TOOLS

Every firewall comes with its own audit trail logs. MasterCard may add its own alerts. MasterCard Online is a custom-developed application. The Secure ID cards come from Security Dynamics Technologies in Bedford, Mass.

RETURN ON INVESTMENT

The firm believes MasterCard Online allows it to bring new applications to market more quickly by answering about 90% of security concerns.

ADVICE

Establish a group dedicated to data security and form an incident response team to respond to security breaches. Also, use independent consultants or third parties for security reviews and simulated attacks on your firm’s network. Lastly, be sure your extranet users have a clear idea of their responsibility to keep your data and network data confidential.

Alexander is a freelance writer in Edina, Minn.




COMPUTERWORLD INTRANETS is published monthly on the fourth Monday of the month as a supplement to Computerworld. Project Editor: Amy Malloy; Managing Editor: Kimberlee A. Smith; Art Director: Mary Beth Welch; Computerworld Magazines Editor: Alan Alper. Phone: (800) 343-6474; E-mail: alan_alper@civ.com.

PHOTOGRAPH BY MARC KATZMAN

